Information System Survivability ENPM 808s

Information Systems Survivability Course ENPM 808s

University of Maryland Professional Master of Engineering Program (ENPM)
Thursdays, 7:00pm-9:40pm, 2 September to 9 December 1999
Engineering Annex Building room 0307

This course is being given with considerable inspiration and support from the Army Research Lab (ARL), for whom much of the material was developed.

The most recent version of this description is maintained on-line at http://www.csl.sri.com/neumann/umd808s.html.

The class lecture notes are on-line at http://www.csl.sri.com/neumann/umd.html . Each lecture represents approximately a different subfile, which can be printed or downloaded individually.

Background

Information Systems Survivability (INFOSURV) is the ability of a computer-communication system-based application to satisfy and to continue to satisfy certain critical requirements in the face of adverse conditions. Survivability is defined with respect to the set of adversities that are supposed to be withstood. Types of adversities include hardware faults, software flaws, attacks on systems and networks perpetrated by malicious users, and electromagnetic interference. The goal for INFOSURV research is to obtain systems and networks that can prevent a wide range of systemic failures as well as penetrations and internal misuse, can tolerate failures or misuses that are not prevented, and can detect failures and misuses that cannot be tolerated.

Purpose of this Document

This is a "living" document, which outlines a new system/network-oriented course on information systems survivability. All administrative issues concerning admission, enrollment, tuition and specifics of U Md's degree/certificate granting, graduate level program are under the control of the Clark School of Engineering, and the registrar, U Md. The course listings and descriptions may be revised by U Md to meet academic requirements. The most current course information is at http://www.csl.sri.com/neumann/umd808s.html. This file is likely to become the index file for the entire course materials as well.

ARL Origins

The concept for the INFOSURV course grew out of a research project in Information Survivability that is being directed by Paul Walczak in association with Tony Barnes at the Army Research Lab. ARL's objective in sponsoring this course is to develop a new academic discipline for information systems engineering that incorporates survivability attributes from the outset, and throughout, the design and development processes. Dr. Peter Neumann of SRI is the principal investigator, and will be the primary instructor of the course described herein. (His CV appears at the end of this document.) A completed report for the first year's effort entitled "Practical Architectures for Survivable Systems and Networks", is available on-line at:
http://www.csl.sri.com/neumann/arl-one.html (for Web browsing)
http://www.csl.sri.com/neumann/arl-one.ps (PostScript)
http://www.csl.sri.com/neumann/arl-one.pdf (Adobe Acrobat Reader)

Course Goal

The primary goal in developing this course is to expand the concepts outlined in the "Practical Architectures for Survivable Systems and Networks" report into an academic discipline, providing students with a broader perspective of critical system requirements that encompasses survivability, security, reliability, fault tolerance, and performance, within one common approach.

Scope, Prerequisites

At the moment, no formal prerequisites are planned other than the equivalent of a good computer-science undergraduate degree that is presumably necessary to get into the graduate school computer-science department (see "Admission to Program" under "University of Maryland Curricula," below). In a sense, this course can serve as a broadly based introduction to the other courses that deal in greater detail with the subtended issues (software engineering, security, fault tolerance, etc.). In another sense, some sophistication on the part of the students would be appropriate, to appreciate the combination of experience and abstraction that is necessary to deal with survivability issues in their proper perspective.

It is important to ensure that the impact of the INFOSURV course reaches policy and operational personnel in DoD/gov't and industry, as well as engineers, developers and scientists. Many of the decisions that impact the posture of information systems survivability in the large are made by non-scientist/engineers who are in positions that influence IT implementation (particularly in the acquisition/procurement community). These roles may not be interested at the bit level, but they certainly have the wherewithal to gain a better grasp of the technology-architectural problems that beset the quest for greater information assurance. The degree of "hard engineering" education that is embraced by the INFOSURV curriculum may be tempered to achieve a balance between developing pure engineering skills and those required for organizing and managing IT systems engineering and implementation. While the course is targeted to remain in the school of engineering or computer science, there needs to be arbitrary consideration in the initial offerings of the course for growing the level of awareness for the engineering problem through education of non-engineers.

Peter Neumann's Perspective on INFOSURV Education

Ideally, an academic program incorporating survivability should have elements of survivability and its subtended requirements distributed throughout a considerable portion of the basic curriculum. Survivability is almost never addressed today, and security and reliability are typically specialty subjects, and then only in a few universities. Similarly, software engineering may be taught as a collection of tools, rather than as a coherent set of principles. As a result, from a practical viewpoint, it would be very difficult to achieve a fully integrated approach as an incremental modification to existing course structures. The emphasis in a new graduate level degree program should be on the design of operating systems and networking, and the use of programming languages and software engineering techniques to achieve greater survivability.

The combination of architectural solutions, configuration controls, evaluation tools, and certification of static systems is by itself still inadequate. Ultimately, the demands for meaningfully survivable systems and networks require that considerable emphasis be placed on education and training of people at many different levels - including high-level definers of high-level requirements, those who refine those requirements into detailed specifications, system designers, software implementers, hardware developers, system administrators, and especially users.

The concept of keeping systems simple cannot be successful whenever the requirements are inherently complex (as they usually are). Training large numbers of people to be able to cope with enormous complexity is also not likely to be successful. Although the mobile-code paradigm offers some hopes that education and training can be simplified, many vulnerabilities in the underlying infrastructure require human involvement, especially intervention in emergency situations. In short, there are no easy answers in addressing the challenges of education and training. There is no satisfactory substitute for people who are intelligent and experientially trained. But there is also no satisfactory substitute for people-tolerant systems that can be survivable despite human foibles. The design of systems and networks with stringent survivability requirements must always anticipate the entire spectrum of improper human behavior and other threats. We need intolerance-tolerant systems that can still survive when primary techniques for fault tolerance and compromise resistance fail, irrespective of unexpected human and system behavior. But above all we need people with both depth of experience and depth of understanding who can ensure that the established principles are adhered to throughout system development and maintained throughout system operation, maintenance, and use. [Edited version of text appearing in Appendix A, Practical Architectures for Survivable Systems and Networks, a report prepared for the US Army Research Laboratory, under Contract DAKF11-97-C-0020]

University of Maryland Curricula

The INFOSURV course will be offered as Maryland advanced graduate-level course commencing in the Fall of 1999. The course will also be the core course in a new four-course masters-level certificate program in survivable systems, with a wide choice of the three other courses, and with the option of turning the credits obtained into a regular degree program. In the future we envision a complete graduate-level engineering and/or computer science department sponsored degree program. The following section describes the Clark School of Engineering-University of Maryland proposal for the INFOSURV graduate certificate (credential) program. The recommended deadline for applications to the Professional Master of Engineering Program (ENPM; degree/credential-certificate granting program) is 1 August 1999 for Fall enrollment. Information Systems Survivability Course, Catalog Description ENPM 808S, Information Systems Survivability Fall 1999 URL: http://dione.umd.edu/bin/Vsoc (online registration info at http://www.enpm.umd.edu/fall99.htm).

This course will consider computer-communication system survivability as an overarching requirement, along with the subtended needs for security and reliability. The course will focus on requirements and their interdependencies, vulnerabilities, threats, risks, system and network architectures, and techniques for ensuring dependable survivability in the face of a wide range of adversities including hardware malfunctions, malicious misuse, and unexpected events. Although there are no explicit course prerequisites, a good computer-science undergraduate background and some experience with computer systems and networks is essential. There will be a single course project in lieu of a final exam. The book for the course, P.G. Neumann, Computer-Related Risks, Addison-Wesley, 1995, explores the benefits and pitfalls of computer-communication technology and suggests ways of avoiding risks in critical systems. All other materials for the course will be available on-line.

Admission to the Program

The ENPM Program is open to qualified applicants holding a regionally accredited baccalaureate degree in engineering or a related field. In addition to submitting a Graduate School admission application, a copy of the applicant's college transcripts and three letters of recommendation are required for evaluation. Applicants with an undergraduate GPA of less than 3.0 may be admitted on a provisional basis if they have demonstrated a satisfactory experience in another graduate program and/or their work experience has been salutary.

Those individuals who are not interested in obtaining graduate credit or the credential may apply to the Graduate School as an Advanced Special Student.

U Md Administration and Registration Administrative information regarding application to U Md and/or registration in the INFOSURV course is available through http://www.testudo.umd.edu/.

Credential Program: Information Survivability

The A. J. Clark School of Engineering at the University of Maryland has proposed a Credential Program in Information Survivability. This credential (certificate) program will be offered under the Professional Master of Engineering Program (ENPM). The following list gives one core course and a set of electives from which the student may select three additional courses. These four courses, including the core course, are needed with a cumulative 3.0 GPA for the successful completion of the credential program.

  I. Core: ENPM 808S Introduction to Information Systems Survivability

  II. Electives: 

    ENPM 808N Network Security 
    CMSC 456 Data Encryption
    ENPM 607 Computer System Design and Architecture
    ENPM 608 Software Design and Implementation 
    ENPM 644 Human Factors in Systems Engineering 
    ENRE 600 Reliability Engineering 
    ENRE 648G Software Quality Assurance

Certificate Program Course Descriptions

A U Md graduate catalog description of courses authorized as components to the certificate program follows:

ENPM 808N Network Security (3) Various approaches to design, specification, and verification of security protocols used in large systems and networks. Topics of network security, security threats and countermeasures, communication security and basic encryption techniques, data confidentiality and integrity, analysis of cryptographic protocols, and access control in large systems and networks. (defn from ENTS 650)
CMSC 456 Data Encryption (Cryptology) Prerequisite: Two 400-level MATH courses or two 400-level CMSC courses or permission of department. Also offered as MATH 456. Credit will be granted for only one of the following: CMSC 456 or MATH 456 . Importance in protecting data in communications between computers. The subject lies on the border between mathematics and computer science. Mathematical topics include number theory and probability, and computer science topics include complexity theory.
ENPM 607 Computer System Design and Architecture (3) Prerequisite: ENEE 446 or equivalent. Principles of computer design and cost/performance factors; instruction set design and implementation, RISC vs. CISC instruction sets; control unit and pipeline design; floating-point arithmetic; memory hierarchy designs, caches, memory interleaving, virtual memory; I/O device interconnections to CPUs and main memory. Additional topics include parallel system designs, SIMD, MIMD, SPMD; interconnection networks for processors and memories; optimization of pipeline operations; superscalar architectures, power management techniques.
ENPM 608 Software Design and Implementation (3) Prerequisite: an undergraduate software course, knowledge of C or C++ programming. Software life cycle: rapid prototyping, requirements and specifications; architectural and detailed design; implementation; performance, debugging, testing, and maintenance. Design using abstract data types and objects. Implementation issues including error handling, arrays, linked lists, performance, multitasking, inter-process communication, and Makefiles. Application in client/server systems, distributed networks, real-time systems, operating systems, device drivers. Documentation, packaging, delivery, demonstration, and installation.
ENPM 644 Human Factors in Systems Engineering (3) Prerequisite: permission of department. Human perception of visual information, light signals, digital and analog presentation, pattern recognition. Sound information, alarms, sounds and speech identification. Practical consequences for design of information and operation panel layout for Systems-Human interaction. Sources of information distortion, human tolerance to errors. Human information processing, limitations in speed, information volume, accuracy in interpretation and error repairs by association and diagnosis.
ENRE 600 Reliability Engineering (3) Prerequisite: ENRE 620. Organization, management and communication concepts in reliablity engineering. Mechanisms and physics of failure, methods for failure-rate determination. Methods of design for reliability and maintainability. Life cycle costing and equipment sparing policies. Measuring reliability for improvement.
ENRE 648G Software Quality Assurance (3) Defining software reliability, initiatives and standards on software reliability, inherent characteristics of software which determine reliability, types of software errors, structured design, overview of software reliability models, software fault tree analysis, software redundancy, automating tools for software reliability protypes, and real time software reliability.

Master of Engineering Degree

Students who complete the Credential Program may continue to work towards the Master of Engineering (ME) degree by accumulating an additional 18 approved credits in the ENPM program.

Courseware & Course Delivery

Perhaps the most important aspect of the course effort is that all of the emerging course materials will be openly available on the Web, very much in the spirit of the open-source software movement. All of the course notes and related materials will be on-line (including new material associated with Peter Neumann's Computer-Related Risks book). See http://www.csl.sri.com/neumann/umd99.html.

Although only about half of the lectures are expected to be delivered in person, and the rest delivered by VTC from Neumann's facilities at SRI in Menlo Park CA, Neumann will be available for office hours prior to each lecture, and will otherwise be responsive to e-mail -- particularly if the Subject: line begins with "UMD" (to help distinguish it from the voluminous quantity of daily messages). Required Text

This is the only piece of course material that will not be directly accessible online. It is a reference already in publication that contains a lengthy analysis of some of the most glaring survivability incidents related to information technology, and stands as a unique resource highly relevant to course goals:

Peter G. Neumann, Computer-Related Risks, Addison Wesley/ACM Press, 1995. ISBN 0-201-55805-X, 384pp. paperback. Telephone orders within the U.S. 1-800-822-6339 or 1-800-447-2226. The original price was $24.75, $22.25 for ACM members (ACM Order #704943, 1-800-342-6626, or 1-212-626-0500 outside the US or inside metro NY), although the recent fourth printing price is higher. For example, Amazon lists it at $29.95.

Vast amounts of more recent material are on-line, in lieu of a second edition of the book. See http://www.csl.sri.com/neumann/ as well as the course notes.

Delivery

It is envisioned that most of the courses will be delivered through the Instructional TV (ITV) system that is currently in place at the University of Maryland. At some later date, these courses should be available as computer-based training (CBT-to distinguish educational courseware from the general accessibility of all course materials through the web/"online") delivered over the Internet or by CD-ROM. Distance learning methods tailored to individual needs (vs. groups at satellite sites) which are feasible for the first course offering are under consideration.

Course Logistics

ENPM 808S will be held Thursdays from 7pm to 9:40pm, Eastern time, from September 2 through December 9 (with no class on Thanksgiving). The primary lecture room will be Engineering Annex Building 0307 at College Park, broadcast to eight potential concurrent satellite sites through the ARL video bridge in Adelphi. Further instructions concerning distance learning logistics will be forthcoming.

Open Accessibility to Academia

The approach to course development that is undertaken in this project is a pioneering effort in rapidly bringing new material into the educational mainstream. Course materials will be freely open to reuse by other University professors and U.S. Government instructors, so that the course content can proliferate and can continually be improved iteratively over time, with collaboration from other instructors in the same spirit as how open-source software evolves. This approach follows the "copyleft" policy of the Free Software Foundation, rather than protective copyright.

All collaborative efforts or subsequent enhancements developed by others are intended to be made available as well. This approach of collaboration and feedback provides an effective way of quickly jump-starting the survivability program into universities and DoD training programs, and of subsequently enabling the course materials to keep up with changing times. An annual Information Systems Survivability (INFOSURV) education workshop, either held separately or as part of the INFOSEC Education Symposium, will review progress made in the collective curriculum archive and recommend standard core components.

Course Outline

The order of lectures and the specific content of each lecture is subject to change, and may be refined as the course progresses, based to some extent on the needs and backgrounds of the enrolled students. [Depending on my travel schedule, more lectures may be given live from UMd in addition to those noted below. PGN] [[The following list reflects the actual schedule rather than the preliminary planned schedule.]]

Week     Proposed topic                    Instructor    Date 1999
=================================================================

 1  Introduction to INFOSURV: overview,    PGN live       2 Sep
    outline of the course, expectations,
    guidelines for the course project,
    concepts, compromisibility, defenses

 2  Survivability-related risks, causes,   PGN live       9 Sep
    effects, analysis of case histories,
    common modalities, lessons to be learned
    (Y2K, development fiascoes, etc.)

 3  Threats to survivability, security,    PGN (with     16 Sep
    reliability, predictability, etc.      Tony Barnes)

 4  Requirements for systems survivability PGN           23 Sep
    and their relationship with subtended 
    requirements for security, reliability, 
    performance, et al.

 5  Deficiencies in existing systems,      PGN           30 Sep
    difficult requirements to meet,    
    missing components, needed research,
    dependence on human frailty, limitations

 6  Overcoming these deficiencies,         PGN            7 Oct
    what exists and what is needed --
    Part 1: architecture, components, 
    configuration management, infrastructure 
    issues, standards and criteria

 7  Overcoming these deficiencies --       PGN           14 Oct
    Part 2: role of security and fault     
    tolerance, software engineering and    
    good development practice

 8  Architectures for survivability 1:     PGN live      21 Oct (wk of NISSC)
    The system- and network-oriented                  [Project proposals
    approach; architectural components                due 22 Oct]
    and structural architectures; servers;
    mobile-code paradigms; composition

 9  Architectures for survivability 2:     PGN           28 Oct
    The importance of human interfaces;
    various open-source paradigms;
    real-time monitoring of survivability,
    including anomaly and misuse detection
    covering penetrators and insiders

10  Reliability in perspective: fault      PGN live       4 Nov
    tolerance, other constructive uses     
    of redundancy, robust mobile code,
    integration of security and reliability

11  Security in perspective: system and    PGN           11 Nov
    network security, trustworthiness,     with Virgil
    preventing denials of service (more    Gligor
    broadly than just defending against 
    attacks), roles of encryption, 
    secure mobile code

12  Architectures for survivability 3:     PGN           18 Nov
    integrating the requirements and       
    the components seamlessly,
    interoperably, predictably, etc.,
    assessing the big picture

--  No lecture on Thanksgiving             ---           25 Nov

13  Implementing and configuring for       PGN live      2 Dec
    survivability: putting it all
    together into a coherent approach
    to survivable systems and networks

14  Conclusions, research directions,      PGN in Cal    9 Dec
    hopes for the future, extensive with   with Virgil   [Completed
    open discussion (with some visitors)   Gligor at     projects 
    including topics such as roles of      UMD           due 9 Dec]
    formal methods, testing, various
    architectural alternatives, residual
    risks, lessons learned, etc.

Several of the lecture periods are enhanced with open discussions (e.g., in the final hour) that bring in a few experts with valuable experience from the relevant areas. A typical class period might involve a lecture-like first half, a break, and treatment of specific topics based on open discussion. [Lecture 7 was dedicated to John Gannon, whom had been expected to participate. John died on 12 June 1999. Lecture 10 was dedicated to my friend, colleague, and mentor, David Huffman, who died on 7 October 1999; I included some of his lesser-known work on error-correcting codes.]

Student Projects

In lieu of a final exam, there will be a final project for each enrolled student. Student proposals for final project topics (including an outline of the expected approach and the expected amount of effort required) will be due by e-mail to the instructor on 22 October, and responses will be provided by e-mail no later than 1 November. Guidelines for the types of projects to be considered and reasonable scopes of effort will be available at the beginning of the course. The procedures for carrying out the final projects will be discussed in class and individually as appropriate throughout the course.

The completed final project will be due on 9 December (by hardcopy, e-mail, or URL). Students will have the option to work on a topic of their choosing, such as one of the following, depending on the student's background and other concurrent courses, and within the scope of what would normally be expected of a student within a single course (including the effort that would otherwise be devoted to preparing for and taking a final exam). Proposals for group efforts will be considered where they make sense.

Here are some potential examples of possible course projects, constrained to some extent by scoping to make a reasonable effort that is commensurate with other courses, and subject to instructor's approval.

A. A written report analyzing articles or researching a particular relevant topic, such as robust algorithms, authentication, preventing denials of service, uses of public-key cryptography, how to make an open-source component more robust.
B. A paper design of a survivable subsystem or component and how it might integrate into a robust entirety.
C. A robustification effort based on existing open-source software, either as a paper or as a software development. (The latter is open-ended and certainly challenging.)
D. An analysis of what might be done in eliminating or reducing common software flaws (such as buffer overflows), through programming languages, constraints on style, precompilers, system constraints, misuse and anomaly detection, some combination of those, etc.
E. Some of the Challenges at the end of each chapter of my Computer-Related Risks book might also be appropriate where they are relevant to survivability.
F. Many other possible approaches.

Points of Contact:

LTC Paul S. Walczak - Director of Information Assurance and Information Survivability Programs, Army Research Lab, 2800 Powder Mill Road, Adelphi, MD 20783-1197. (301) 394-3862, pwalczak@arl.mil.

Anthony Barnes Army Research Lab, SLAD, C4I Branch, AMSRL-SL-EI (Anthony Barnes) Ft. Monmouth NJ 07703, (732) 427-5099, barnes@arl.mil

Dr. Arnie Seigel, Director, Instructional Television, Clark School of Engineering, (301) 405-4910

Dr. George Syrmos, Acting Director, Clark School of Engineering 301.405.3633 syrmos@eng.umd.edu

Dr. Peter G. Neumann, Computer Science Lab, SRI International EL-243, 333 Ravenswood Ave, Menlo Park CA 94025-3493 Tel 1-650/859-2375, Fax 2844, Neumann@CSL.sri.com http://www.csl.sri.com/neumann/

Dr. Neumann is a Principal Scientist in the Computer Science Laboratory at SRI International. He will be the primary instructor. He received AB, SM, and PhD degrees from Harvard in 1954, 1955, 1961, respectively. He moderates the Risks Forum newsgroup (comp.risks). He is a Fellow of the AAAS, ACM, and IEEE, and recipient of the ACM Outstanding Contribution Award for 1992, the Electronic Frontier Foundation Pioneer Award in 1996, and CPSR's Norbert Wiener in 1997.